Target Breach: 5 Unanswered Security Questions

Investigators have yet to explain how Target was hacked, whether BlackPOS malware infected its payment servers, and whether the same gang also struck other retailers.


How did hackers break into systems at Target?

Officials at the nation's second-largest discount retailer have admitted that attackers stole credit and debit card details for 40 million customers and personal information, such as names and email addresses, for up to 70 million more, putting the total number of people affected as high as 110 million.

According to investigators, attackers obtained the point-of-sale (POS) data using the BlackPOS memory-scraping malware, which is also known as Kaptoxa, or "potato" in Russian. The same malware was reportedly also used against Neiman Marcus and up to six additional as-yet-unnamed retailers.

But a number of key questions surrounding the attacks against Target and other retailers remain unanswered.

1. Did malware infect Target's payment systems?

Target has yet to confirm how the BlackPOS malware was used, leaving open the question of whether Internet-connected POS terminals were compromised. Many security experts don't believe that was the case.

"We are still left to infer that the method of attack was to compromise manager credentials... and that the target was enterprise payment processing servers -- not 'point-of-sale,' not store controllers -- running Windows," information assurance expert William Hugh Murray, an associate professor at the Naval Postgraduate School, said in a recent SANS Institute newsletter. "The most interesting thing about the malware is that it exploited system code, not application-specific code, to access application traffic."

In other words, based on what's known about the attacks, attackers likely gained access to the targeted system by guessing or using stolen access credentials. Furthermore, the malware likely didn't infect any POS terminals or applications running therein, but rather the Windows-based payment system that was used to manage all of those POS terminals.

Malware such as BlackPOS is tailor-made to intercept card data in the one window where it is in plaintext: the data is encrypted everywhere else, but the payment process must decrypt it in memory in order to send it out for verification, and that is where the malware reads it. "To access the decrypted transaction data, malware is deployed onto the system that carries out external verification. This malware monitors the currently running processes, looking for one of a known list of processes that carry out the transaction verification," read an EPOS Data Theft threat advisory released Tuesday by McAfee, referring to electronic point-of-sale (EPOS) systems. "When the malware detects data about a financial transaction, it copies or 'scrapes' the decrypted data from the process's memory and writes it to a local file." That file of harvested credit and debit card data is then sent to a remote server, from which the attackers retrieve it to resell or to use themselves.
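Mechanically, the scraping step McAfee describes is a search of process memory for track-formatted card data. The scanner below is an added example, not code from the article, from McAfee or from the Target investigation: it runs the same search over a constructed byte buffer standing in for a memory dump or for the scraper's local output file, which is also the check a forensic analyst would run on either artifact. The buffer contents and the test PAN 4111 1111 1111 1111 are constructed; the Luhn filter shows why look-alike digit runs such as order numbers are not card data.

```python
import re

# Track 2 as encoded on a magnetic stripe and as it sits in a payment process's
# memory after decryption: start sentinel ';', a 13-19 digit PAN, field
# separator '=', expiry YYMM, a 3-digit service code, discretionary data,
# end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so findings can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(buf: bytes) -> list:
    """Scan a byte buffer for Track 2 records whose PAN passes the Luhn check.

    The Luhn filter is what separates card data from look-alike digit runs
    (timestamps, order IDs) and keeps the scanner's false-positive rate low.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group(2).decode(),        # YYMM
            "service_code": m.group(3).decode(),
            "offset": m.start(),                  # where in the buffer it sat
        })
    return hits


# Constructed sample: a fake slice of process memory (or of a scraper's local
# output file) with unrelated bytes, one valid test card, one Luhn-invalid
# record, and a digit run that is not track-formatted at all.
SAMPLE = (
    b"\x00\x01POSAuthService 2013-12-01 09:15:22 txn=00123\x00"
    b";4111111111111111=2512101123456789?\x00\x00"
    b";4111111111111112=2512101000000000?"      # fails Luhn: skipped
    b"order_id=4532015112830366;"               # no '=' separator: skipped
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE):
        print(hit)
```

Run against a real memory image or a suspect file, the same function reports masked PANs and offsets only, which is what an incident responder needs to confirm that card data was resident in a process without copying the data itself into a case file.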

2. Who attacked Target?

A 23-year-old Russian man, Rinat Shabayev, this week confirmed that he helped author the BlackPOS malware. But in an interview with Russian media outlet LifeNews that was broadcast Tuesday, he claimed to be innocent of selling Kaptoxa for malicious purposes, saying that it had been developed as a penetration testing tool rather than for the cybercrime market.

"If you use this software with malicious intent, you can earn well, but it is illegal," Shabayev told LifeNews.

Shabayev's identity squares with information published earlier this week by cyber-intelligence firm IntelCrawler. While the firm Friday named a 17-year-old Russian who used the alias "ree[4]" (a.k.a. "ree4") as a suspect in developing the malware, it revised that assessment earlier this week after questions surfaced over the company's findings. Instead, the firm named Shabayev as the malware's principal developer, saying that he too had used the ree4 handle. After updating its report earlier this week, however, IntelCrawler later excised the names of the two people it suspected of having been the principal developers behind Kaptoxa.

3. Why didn't Neiman Marcus come clean sooner?

One of the biggest unanswered questions surrounding the campaign against retailers concerns the identity of the other businesses, reportedly as many as six in addition to Neiman Marcus, that were also recently compromised. Those retailers may have yet to fully ascertain the extent of their breaches, or may still be putting working defenses in place before they disclose.

Neiman Marcus -- which has yet to disclose how many credit and debit card numbers it lost -- has been criticized for not coming clean about the breach more quickly. The firm didn't confirm that it had been breached until Jan. 10, the same day that security journalist Brian Krebs publicized that payment providers had traced fraudulent purchases to cards used at the luxury retailer.

Likewise, Target didn't reveal its information security breach, which happened from Nov. 27 to Dec. 15, until Krebs reported on Dec. 18 that investigators were looking into a potential breach at the retailer. Unlike Target, however, which publicized the breach and endured a downturn in holiday shopping volumes, Neiman Marcus didn't disclose its 2013 breach -- which began in mid-July and lasted until December -- until after the busy shopping period.

While 46 states have mandatory data breach notification laws, the timeline for reporting a breach varies.

Neiman Marcus officials, however, have defended themselves against claims that they delayed issuing a breach notification to affected customers, saying that they reacted as rapidly as possible. "We quickly began our investigation and hired a forensic investigator," read a statement released by the retailer. "Our forensic investigator discovered evidence on Jan. 1st that a criminal cybersecurity intrusion had occurred. The forensic and criminal investigations continue."

By delaying disclosure, Neiman Marcus also bought itself time to harden its systems against repeat attacks. An official at the retailer, on a call last week with credit card companies, said that the Neiman Marcus breach wasn't fully contained until Jan. 12, the New York Times reported.

4. Did the same gang hack Target and Neiman Marcus?

Are the Target and Neiman Marcus attacks related? While the same type of malware was reportedly used in both attacks, investigators have yet to comment on whether the same gang breached both retailers. Last week, meanwhile, Neiman Marcus said that it had "no knowledge of any connection" between Target's breach and its own.

5. Did Target's attackers also hit Easton-Bell Sports?

The latest business to disclose that it too was hacked and had payment data stolen in December 2013 was Easton-Bell Sports, a California-based sports equipment and clothing manufacturer. The company, which makes Bell helmets and Giro cycling gear, said that information on 6,000 customers who shopped on its website was stolen. The breach reportedly lasted from Dec. 1 to Dec. 31, and stolen information may have included names, addresses, telephone numbers, email addresses, credit card numbers, and card security codes, the company said in a statement.

An Easton-Bell Sports spokesman didn't immediately respond to an emailed request for comment about whether memory-scraping malware was used, or if the data breach appeared to involve the same gang or gangs that successfully attacked Target and Neiman Marcus.


Timing. That's the primary suggestion they might be related, and it may be a stretch. Because yes, it wasn't a POS-data-focused hack.

But don't forget that Target also lost 70 million customers' names, email addresses, and other personal information. That didn't come from POS data streams, which suggests that hackers may have gained access to more than just the payment processing servers.

Then again, different gangs may have taken down each of the retailers mentioned in the story. Investigators have yet to say.

If all card holders were as quick as you to set up email alerts and notifications, then it would become a losing game right from the beginning for anyone to steal information. Unfortunately, I feel that the vast majority of the 40 million affected are not looking into security best practices. This creates a need for financial firms to increase their standards.

Knowing specifics is important to all, but what does running a Java VM mean? Lots of current scare tactics regarding Java security are unfounded if you aren't running applets in browsers with an unsupported or unpatched version of Java. Hopefully the security folks don't preach a scorched earth policy in the direction of Java or Windows. If the POS software, whatever it or the OS is, was running with unnecessary elevated privileges, Target already has three strikes.

If the card isn't replaced, what makes the stolen data finite? My card was part of the Target breach and it has not been replaced. I added an e-mail alert for charges of $10 or more (the lowest amount allowed by my bank). The enhanced protection is if I catch the fraud and report it. Then I'll get a new card. Until that happens, it's quite possible that criminals could blend in small charges as long as they are not from overseas. Those charges are more scrutinized by institutions. (I once bought a cable for a few bucks from a Chinese on-line supplier. My bank shut down my card thinking fraud. When my dinner charge was rejected, it took a 20 minute phone call to get it resolved. Of course it didn't help that the supplier had an unrecognizable funky name and was located in Taiwan!)

"30 out of 48 antivirus engines are detecting the malware". I wonder what restrictions are stopping 18 antivirus engines from adding detection definitions for this particular malware. One reason that I can think of is that maybe virus definitions are not easy to share between antivirus firms -- copyright issue. Or maybe this threat is being viewed as low risk by some, because their customer base is from a different segment.

No, not an OS. But yes, before more details emerged, it could have been Windows underneath, or Linux running the POS device. The terminals themselves could also have been running a Java VM, with Internet-connected Java apps running on these devices, opening up the possibility that they'd somehow been exploited. But that doesn't appear to be the case.

BlackPOS is Windows malware. But some POS terminals run Windows. Others, Java. So there was a question -- which hasn't yet been officially answered -- about whether attackers managed to infect POS terminals themselves, for example if they were Internet-connected and set to use a default password. Then a secondary hack of a system inside Target might have served as the command-and-control server (mothership), and routed stolen data via FTP to Russia.

That's crucial information for other retailers looking to avoid a copycat hack against their systems.

But based on what's known now, it looks like the payment system was hacked. From a time/effort standpoint, this makes a lot of sense. Launch a phishing attack (again, just a guess) that manages to sneak malware onto the Windows system that manages payment processing -- i.e. sends/receives data from all of those POS terminals in stores -- and you have an elegant (from an attacker's perspective) way to siphon large amounts of card data. Add the twist of only sending this information out of the firewall to an attacker-controlled server during working hours, and you make related data exfiltration tougher to spot.

PIN codes are encrypted, and there's a debate in the security community now about whether they can be cracked. (Or if it will be worth the effort.)

In terms of stealth moves -- hello "Office Space" -- in fact card data has a finite life, thanks to "card brands" either invalidating those numbers and issuing new cards (as some have done) or else using "enhanced fraud protection measures" (i.e. not paying for the cost of reissuing a card, and hoping to spot any fraudulent transactions -- more fun for cardholders). So there's an impetus for carders to move the goods quickly.

On that front, Brian Krebs said via Twitter yesterday: "Another set of 2 million cards stolen from Target ("Eagle Claw") goes on sale at Rescator sites (all part of batch stolen 11/27 - 12/15)."
